PT-2024-30653 · Apollo · Apollo Router

Jasonbarnett667 · Published 2024-08-27 · Updated 2024-09-12 · CVE-2024-43783

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
  • Apollo Router versions 1.7.0 through 1.52.0 (with Native Rust Plugins)
  • Apollo Router versions 1.21.0 through 1.52.0 (with External Coprocessing)
Description
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router are affected by a denial of service vulnerability if certain conditions are met, including the use of External Coprocessing or Native Rust Plugins with specific configurations. The vulnerability can cause the Router to load entire HTTP request bodies into memory without regard to its other HTTP request size-limiting configuration, leading to out-of-memory termination if a sufficiently large request is sent.
The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited.
Technical details about exploitation include:
  • API Endpoints: Not specified
  • Vulnerable Parameters or Variables: `coprocessor.router.request.body`, `limits.http_max_request_bytes`, Request.router request
  • Function Names: `router_service`
Recommendations
  • For Apollo Router versions 1.7.0 through 1.52.0, upgrade to at least Apollo Router 1.52.1.
  • For Apollo Router versions 1.21.0 through 1.52.0 with External Coprocessing, set the `coprocessor.router.request.body` configuration option to `false` as a temporary workaround.
  • For Apollo Router versions 1.7.0 through 1.52.0 with Native Rust Plugins, update the plugin to either not accumulate the request body or enforce a maximum body size limit.
  • Limit HTTP body payload sizes before the Router, for example in a proxy or web application firewall appliance.
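The coprocessor workaround above, as an added configuration example that is not part of this advisory or of the Apollo project's own documentation. The keys `coprocessor.router.request.body` and `limits.http_max_request_bytes` are the ones the advisory names; the surrounding structure (`coprocessor.url`, `coprocessor.router.request.headers`) is assumed from the Router's documented configuration shape, and the URL and byte values are placeholders.

```yaml
# Added example (not from the advisory): Apollo Router YAML configuration.
# Key names other than coprocessor.router.request.body and
# limits.http_max_request_bytes are assumed from the Router's documented
# configuration shape; the URL and size below are placeholders.

# The Router's own request body cap. Per the advisory, the body copy made
# for a coprocessor (1.21.0 - 1.52.0) was buffered in full regardless of
# this limit, so this setting alone does not close the issue on those versions.
limits:
  http_max_request_bytes: 2000000   # placeholder: ~2 MB

coprocessor:
  url: http://127.0.0.1:8081        # placeholder coprocessor address
  router:
    request:
      headers: true
      # WEAK on affected versions: forwarding the body makes the Router
      # accumulate the entire request in memory before calling out.
      # body: true
      #
      # TEMPORARY WORKAROUND until the upgrade to >= 1.52.1: do not
      # forward the request body to the coprocessor at all.
      body: false
```

Once the Router is on 1.52.1 or later, the advisory's first recommendation (the upgrade) is the fix; `body: false` is only a stopgap that also removes the body from the coprocessor's view.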

Weakness Enumeration
Allocation of Resources Without Limits

Related Identifiers

CVE-2024-43783
GHSA-X6XQ-WHH3-GG32

Affected Products

Apollo Router